
1. Introduction

Our malware analysis team in the CrySyS Lab, Budapest worked together with Kaspersky Labs on the analysis of the Miniduke malware. Our participation in this research was justified by a detected Hungarian incident. A detailed report on the results of our joint efforts has been published on the Kaspersky Labs Securelist blog site (see link below). The Kaspersky Labs report describes what we currently know about the operation of Miniduke, including its stages, and also information on the C&C infrastructure and communications. In this report, we summarize the indicators of a Miniduke infection, and give specific hints on its detection.

The Kaspersky Labs report is available at https://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_Micro_Backdoor

2. Known malware samples

The available malware samples are highly obfuscated, and compiled by a polymorphic compiler. The attackers were able to produce new variants with only a few minutes difference between compile times. Therefore the number of distinct samples could be very large.

bg_<sthg>.gif and bg_<sthg>.gif_dec refer to pieces of stage 2 of the malware, which are downloaded from the C&C server by the stage 1 code. bg_<sthg>.gif is a gif file that contains encrypted code, and bg_<sthg>.gif_dec is the corresponding decrypted file. bg_<sthg>.gif is generally 24484 bytes long, while bg_<sthg>.gif_dec is 22784 bytes long.

3. Detection of the running malware

Due to the large number of compiled samples, there is a high chance that the current version is difficult to detect by signatures. Yet, there are common features in the samples that can be used to identify the malware components.

In every sample we checked, the "Program Files/Startup" directory contains a file with ".lnk" extension after installation. This is used to start up the malware after the computer is rebooted.

The contents of the .lnk files are similar to the path and file below, but random names are used. The extension of the dll called is generally ".tmp", ".cat" or ".db" (not sure about the full list), and the export function called has a random name. An example of the command line from an lnk file created by the malware:

"C:\WINDOWS\system32\rundll32.exe" C:\DOCUME~1\ALLUSE~1\APPLIC~1\base.cat,JorNgoq

The running process of the malware can be pinpointed, e.g., by using Process Explorer. The running copies of stage 1 and 2 appear as separate rundll32.exe processes. It is very useful to create a memory dump from these running processes, e.g., by using SysInternals Process Explorer.

In the screenshot on the original slide (not reproduced here), the export function name they use is GqOlls. The names seem to follow a pattern: 6 chars long with two upper case letters.

A not fully cross-checked piece of information is that during installation the malware is copied in two copies to the system, and the two executables differ. This might mean that the executable modifies itself. For example, we recovered the following two files:

md5sum base.cat : 113e6fc85317fdd135e3f5f19e6c7a58 *base.cat
md5sum ~6rld.tmp : c786a4cdfe08dbe7c64972a14669c4d1 *~6rld.tmp

where base.cat is the startup file, which is created based on ~6rld.tmp. base.cat is stored in the "All users" directory, whereas ~6rld.tmp is stored in a user's directory, e.g., in the guest user directory as "C:\Documents and Settings\guest\Local Settings\Application Data\~6rld.tmp".

This user directory contains at least one more file, update.cmd, with a specific content that could be used for detection. E.g., a search for any *.cmd files with the content "TASKKILL /f /IM acro*" might be a detection tool for this stage.
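As an added example (not code from the CrySyS report), a Python check for the two host-side indicators described in this section: the rundll32 command line found in the Startup .lnk or in the process list, and the TASKKILL line in update.cmd. The 6-7 letter range accepted for the export name is an assumption that accommodates the report's own examples (GqOlls and JorNgoq); the command lines and file contents below are constructed, not captured artefacts.

```python
import re

# Indicators from section 3: rundll32.exe loading a DLL whose extension is
# .tmp/.cat/.db and calling a short random export name. The export-name check
# accepts 6 or 7 letters with exactly two upper-case letters: the report says
# "6 chars", but its own example JorNgoq has 7 (the 7 allowance is an assumption).
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe"?\s+'
    r'"?(?P<dll>[^",]+\.(?:tmp|cat|db))"?,(?P<export>[A-Za-z]+)\s*$',
    re.IGNORECASE,
)
UPDATE_CMD_RE = re.compile(r"taskkill\s+/f\s+/im\s*acro\*", re.IGNORECASE)

def export_name_suspicious(name: str) -> bool:
    """6 or 7 ASCII letters with exactly two upper-case letters."""
    return 6 <= len(name) <= 7 and name.isalpha() and sum(c.isupper() for c in name) == 2

def classify_command_line(cmd: str):
    """Return (dll_path, export) when the command line matches the stage 1/2
    loader pattern, otherwise None. Works on .lnk targets and process command lines."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m or not export_name_suspicious(m.group("export")):
        return None
    return m.group("dll"), m.group("export")

def cmd_file_suspicious(content: str) -> bool:
    """True if a *.cmd file carries the TASKKILL line the report associates with update.cmd."""
    return UPDATE_CMD_RE.search(content) is not None

# Constructed samples (not captured artefacts) exercising the command-line check.
SAMPLES = [
    '"C:\\WINDOWS\\system32\\rundll32.exe" C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\base.cat,JorNgoq',
    '"C:\\WINDOWS\\system32\\rundll32.exe" C:\\DOCUME~1\\guest\\LOCALS~1\\APPLIC~1\\~6rld.tmp,GqOlls',
    '"C:\\WINDOWS\\system32\\rundll32.exe" shell32.dll,Control_RunDLL',  # benign: wrong extension
    '"C:\\WINDOWS\\system32\\rundll32.exe" C:\\temp\\x.tmp,ReallyLongExportName',  # export too long
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_command_line(s), "<-", s)
```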

As for stage 3 of the attack, it is important to note that it is not yet analyzed deeply. So once a victim downloads the ~300k long piece of code, we don't know what happens with the previous stages, and we have no information about detections once this stage is reached, except the usage of the C&C server news.grouptumbler.com.

4. C&C communication

There are multiple layers of C&C communications in the malware. First the malware uses Google search to receive information from its master. Then, it uses the Twitter messaging service, looking for the tweets of a specific Twitter user. Commands received via this channel trigger the download of stage 2 and stage 3 code from the C&C server.

We identified the following C&C servers delivering stage 2 and stage 3 codes:

Attack location   C&C server        C&C IP / location               Path on C&C
Hungary           arabooks.ch       194.38.160.153 / Switzerland    /lib/index.php
                                                                    /srch/index.php
                                                                    /forumengine/index.php
                                                                    /events/index.php
                                                                    /groups/[different]
Luxembourg        artas.org         95.128.72.24 / France           /engine/index.php
                                                                    /web/index.php
Belgium           tsoftonline.com   72.34.47.186 / United States    /views/index.php
(Multiple)        www.eamtm.com     188.40.99.143 / Germany         /piwik/web/index.php

The C&C server used by stage 3 of the malware is news.grouptumbler.com and it is located in Panama. At the time of this writing, port 80 seems to be closed on this server. Address and open port information is below:

news.grouptumbler.com/news/feed.php
IP: 200.63.46.23

Interesting ports on 200.63.46.23:
Not shown: 65524 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
920/tcp   open  unknown
1437/tcp  open  tabula
46436/tcp open  unknown

Figure 6 – Stage 3 C&C server information

4.1. Detection of C&C communications

Basic detection can be based on 3 queries that are initiated by the victim computers within seconds:

www.google.com – port TCP/80 - HTTP
twitter.com – port TCP/443 - SSL
www.geoiptool.com – port TCP/80 - HTTP

Figure 7 – Initial web page – and possibly DNS – queries issued by the malware

Known search strings in Google search (see below) can also be used to detect the malware. Unfortunately, these strings are most likely unique to each C&C server or victim, thus unknown samples might use other strings, but possibly with the same length.

lUFEfiHKljfLKWPRHkyeiIDKiroLaKYrlUFEfiHKDroLaKYr

Figure 8 – Google search strings used by the malware

The malware also sends a query to the geoiptool. An example is shown below:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; en-US; Trident/5.0)
Host: www.geoiptool.com

Figure 9 – Geoip lookup query sample – Agent string might be different for each query!

4.2. Initial C&C communication

Initial communications with the stage 2/3 delivery C&C servers (such as arabooks.ch) can be used to develop detection signatures as follows:

The malware retrieves the URL using a Twitter query as described earlier. Then, we can observe the first query from the victim towards the stage 2/3 delivery C&C server. This query contains pure HTTP traffic on port 80 to the server, following the template below.

GET /original/path/shortname/index.php?e=aaaaaaaaa

where:
• shortname can be a number of strings, generally human readable (e.g. lib, engine, forum, forumengine etc.)
• "e=" is not constant, can be anything, but generally 1-2 letters long
• aaaaaaaaa stands for some Base64-like text (see details below)
• the servers used are assumed to be legitimate sites, just hacked by the attackers.

Based on this format, we can detect a valid query as follows:
• The name of the 1st GET parameter should be discarded; this means "e=" is not important
• we saw only one GET parameter; queries with multiple parameters are likely not used

For detection, the Base64-like string "aaa…" should first be modified as follows:
• "-" should be replaced by "+"
• "_" should be replaced by "/"

This results in correct Base64 encoding, which can be decoded with library functions such as base64_decode. After decoding, a string of data, partially binary, will be available. Parts are separated by the delimiter character "|". The format and a numerical example are below:

<binary data (~100 bytes)>|<numerical ID (~10 digits)>|<version number>
e.g., <binary data>|5551115551|1.13

As the binary data itself may contain the "|" character, parsing should start from the end (i.e., the numerical ID starts from the second "|" character from the end). In addition, the ID length may vary (not fully confirmed), but it seems to be around 10 digits. Finally, the version number always follows the pattern <1 digit><dot><two digits>, e.g., 1.1X, 3.1X.
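A detection-side decoder for the query format described in this section, written here as an added example (not code from the CrySyS report). It applies the two character substitutions, decodes, and splits from the end so that a "|" inside the binary part does not break parsing. The 8-12 digit tolerance for the ID, the requirement that the path end in /index.php, and the test payload are assumptions and constructed input, not captured traffic.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

VERSION_RE = re.compile(rb"^\d\.\d\d$")   # <1 digit><dot><two digits>, e.g. 1.13
ID_RE = re.compile(rb"^\d{8,12}$")        # "around 10 digits"; the 8-12 tolerance is an assumption

def to_standard_b64(value: str) -> str:
    """Undo the '-' and '_' substitutions and restore any stripped '=' padding."""
    value = value.replace("-", "+").replace("_", "/")
    return value + "=" * (-len(value) % 4)

def parse_beacon(value: str):
    """Decode one parameter value into (binary_blob, victim_id, version), or None."""
    try:
        raw = base64.b64decode(to_standard_b64(value), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not Base64 at all
        return None
    # Split from the end: the binary blob may itself contain '|', so only the
    # last two delimiters are reliable.
    head, sep1, version = raw.rpartition(b"|")
    blob, sep2, victim_id = head.rpartition(b"|")
    if not (sep1 and sep2 and VERSION_RE.match(version) and ID_RE.match(victim_id)):
        return None
    return blob, victim_id.decode(), version.decode()

def match_request(request_line: str):
    """Apply the template to a raw request line such as
    'GET /lib/index.php?e=... HTTP/1.1': the parameter name is ignored and
    exactly one parameter must be present, as the report describes."""
    m = re.match(r"GET\s+(\S+)\s+HTTP/1\.[01]\s*$", request_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    params = parse_qsl(url.query, keep_blank_values=True)
    if not url.path.endswith("/index.php") or len(params) != 1:  # /index.php is an assumption
        return None
    return parse_beacon(params[0][1])

def build_sample(blob: bytes, victim_id: str, version: str) -> str:
    """Constructed test input (not a captured beacon), encoded the way the
    report says the real value has to be decoded."""
    payload = b"|".join([blob, victim_id.encode(), version.encode()])
    return base64.b64encode(payload).decode().replace("+", "-").replace("/", "_").rstrip("=")

if __name__ == "__main__":
    sample = build_sample(b"\x00\x01|\xfe\xff" * 20, "5551115551", "1.13")
    print(match_request(f"GET /lib/index.php?e={sample} HTTP/1.1"))
```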

Examples of tweets containing the URL of the C&C server are shown below:

The weather is good today. Sunny! uri!wp07VkkxYt3Mne5uiDkz4Il/Iw48Ge/EWg==
Albert, my cousin. He is working hard. uri!wp07VkkxYmfNkwN2nBmx4ch/Iu2c+GJow39HbphL
My native town was ruined by tornado. uri!wp07VkkxYt3Md/JOnLhzRL2FJjY8l2It

Figure 15 – Known Twitter answers for C&C discovery

The Twitter information is currently not very useful for content based detection, as it is downloaded through an SSL connection, and therefore, IDS rules can only be applied if some SSL proxy is used.

An interesting observation is that this user follows 4 partners, most likely for deception.